Apparatus for performing a fault detection operation and method thereof

ABSTRACT

An apparatus for performing a fault detection operation and methods thereof are provided. The example apparatus may include a first-coordinate computing unit receiving a first point and a second point in a binary finite field, the first and second points established based on a basic point within a given elliptic curve, each of the first and second points including a first coordinate value and a second coordinate value, the first-coordinate computing unit performing a first addition operation on the first point and the second point to compute a third coordinate value and a second-coordinate computing unit performing a second addition operation on the first and second points to compute a fourth coordinate value, the first and second addition operations computed based on at least one of a difference between the first coordinate values of the first and second points and a difference between the second coordinate values of the first and second points.

PRIORITY STATEMENT

This application claims the benefit of Korean Patent Application No. 10-2006-0073775, filed on Aug. 4, 2006 in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

Example embodiments of the present application relate generally to an apparatus for performing a fault detection operation and methods thereof, and more particularly to an apparatus for performing a fault detection operation within a cryptography system and methods thereof.

2. Description of the Related Art

Conventional encryption methods may include public key-based encrypting methods, such as the Rivest Shamir Adleman (RSA) encrypting system and the Elliptic Curve Cryptography (ECC) system. Conventional public key-based encrypting methods may use a relatively large integer as a public key to protect a system because an algorithm for integral division may not be defined.

In particular, the ECC system may provide security with a relatively small key size, and thus ECC systems may be implemented within smart cards and electronic signatures. The ECC system may include a cryptographic process for encrypting/decrypting information, based on a specific addition which is defined by a numerical formula referred to as an “elliptic curve”.

A conventional ECC system may include a random elliptic curve E, and a point P on the elliptic curve E, as system parameters. For example, a first user who desires to establish a cryptographic communication may randomly generate an integer k, and may multiply the integer k by P to obtain Q(=k×P). The first user may disclose Q as a public key, and may securely store the integer k as his/her secret key. Then, a second user who desires to transmit a message M to the first user in a secret manner may randomly generate an integer d, and may multiply d by P to obtain A(=d×P). The second user may generate B(=M+d×Q) by using the public key Q that the first user provides and the message M to be transmitted. The second user may then transmit a cryptogram A,B to the first user.

In the conventional ECC system, the first user who receives the cryptogram A,B from the second user may compute k×A based on his/her secret key k, and may restore the message M by:

M=B−(k×A)  Equation 1

In order to “attack” or hack the conventional ECC system, a Differential Fault Analysis (DFA) may determine the secret key for a cryptographic system based on the difference between variables used in a given operation. In the DFA, the secret key for the cryptographic system may be determined by injecting a fault into a cryptographic system, and analyzing the result of operation corresponding to the injected fault.

For example, the conventional ECC system may use values stored in a register when performing a given operation. However, the value stored in the register, or scheduled to be stored in the register, may be adjusted or altered by the fault. Thus, an error corresponding to the altered value may affect the result of the given operation. Information relating to the secret key may thereby inadvertently be disclosed based on an analysis of the result of the given operation containing the error.

FIG. 1 is a flowchart illustrating a Calculate Twice and Check (CT&C) process 100 corresponding to a conventional DFA countermeasure. In the CT&C process 100, a random point P on an elliptic curve may be selected (at S110), a first comparison value Q1 may be computed by multiplying P by k (at S120) and a second comparison value Q2 may be computed by multiplying P by k (at S130), where k may be an integer value of a secret key.

Referring to FIG. 1, the first comparison result Q1 and the second comparison result Q2 may be compared (at S140). If the first comparison result Q1 and the second comparison result Q2 are equal to each other, a fault or error is determined not to have occurred, and one of the first comparison result Q1 and the second comparison result Q2 may be output as the result Q (at S150). Alternatively, if the first comparison result Q1 is determined not to be equal to the second comparison result Q2, a fault or error is determined to have occurred, and a warning signal may be output instead of the result Q (at S160).

FIG. 2 is a flowchart illustrating a Check the Output Point (COP) process 200 corresponding to another conventional DFA countermeasure. In the conventional COP process 200 of FIG. 2, a random point P on an elliptic curve may be selected (at S210), and a comparison value Q may be computed by multiplying P by a given integer k (at S220). The given integer k may denote a secret key.

Referring to FIG. 2, a determination is made as to whether the comparison value Q is a point on the elliptic curve E (at S230). If the comparison value Q is a point on the elliptic curve E, a fault or error is determined not to have occurred, and the result or comparison value Q may be output (at S240). Alternatively, if the comparison value Q is determined not to be a point on the elliptic curve E, an error or fault is determined to have occurred, and a warning signal may be output instead of the result or comparison value Q (at S250).

Referring to FIGS. 1 and 2, the CT&C process 100 of FIG. 1 may require a duplicate multiplication of the comparison values Q1 and Q2, which may waste system resources. The COP process 200 of FIG. 2 may be more simplistic with regard to the computations involved as compared to the CT&C process 100 of FIG. 1. However, the COP process 200 may be relatively limited and the performance thereof may not be sufficient in certain situations, such as during a fault sign changes attack. Accordingly, a Montgomery Power Ladder Algorithm (MPLA) and/or a Fast Montgomery Power Ladder Algorithm (FMPLA) may be deployed in addition to the conventional process of FIGS. 1 and/or 2 to handle the DFA.

In a conventional ECC system, a discrete logarithm operation may be performed to compute k based on P and Q. The discrete logarithm operation may be performed by applying the characteristics of an elliptic curve to finite fields, and may be a basis of the cryptographic protocol. Thus, the discrete logarithm operation may refer to an operation of computing k by using Q and P in a formula Q=k×P.

Accordingly, it will be appreciated that scalar multiplication may be representative of one operation performed during a conventional ECC process. In an example, the MPLA may constitute a portion of the scalar multiplication in finite fields. The conventional MPLA will now be described in greater detail.

The MPLA may include two variables defined as shown in Equation 2, below:

$\begin{matrix}{{L_{j} = {\sum\limits_{i = j}^{t - 1}{k_{i}2^{i - j}}}},\mspace{31mu} {H_{j} = {L_{j} + 1}}} & {{Equation}\mspace{20mu} 2}\end{matrix}$

wherein k may denote a random integer expressed as a plurality of binary bits (e.g., k=(k_(t−1), . . . , k₁, k₀)₂), t may denote an integer, and k_(i) may denote an ith bit of k, wherein i may denote an integer. For example, k_(t−1) may be equal to a first logic level (e.g., a higher logic level or logic “1”) or a second logic level (e.g., a lower logic level or logic “0”).

The relationship between L_(j) and H_(j) (e.g., expressions 1 and 2, respectively) may be expressed by:

$\begin{matrix}{L_{j} = {{2L_{j + 1}} + k_{j}} = {L_{j + 1} + H_{j + 1} + k_{j} - 1} = {{2H_{j + 1}} + k_{j} - 2}} & {{Equation}\mspace{20mu} 3}\end{matrix}$

and may be alternatively expressed by:

$\begin{matrix}{\left( {L_{j},H_{j}} \right) = \left\{ \begin{matrix}{{{\left( {{2L_{j + 1}},{L_{j + 1} + H_{j + 1}}} \right)\mspace{14mu} {if}\mspace{14mu} k_{j}} = 0},} \\{{\left( {{L_{j + 1} + H_{j + 1}},{2H_{j + 1}}} \right)\mspace{14mu} {if}\mspace{14mu} k_{j}} = 1.}\end{matrix} \right.} & {{Equation}\mspace{20mu} 4}\end{matrix}$

A process of deriving Equation 4 is well-known to those of ordinary skill in the art, and as such a detailed description thereof has been omitted for the sake of brevity. L_(j) and H_(j) may be mapped to two points P₁ and P₂, respectively, on an elliptic curve in the ECC system of FIG. 3, which will now be described in greater detail.

FIG. 3 is a flowchart illustrating a MPLA process 300 for performing the scalar multiplication within a conventional ECC system. In the MPLA process of FIG. 3, a basic point P and a scalar k may be received (e.g., wherein k may be an integer) (at S301). Next, variables may be set for scalar multiplication (at S303). For example, the scalar k may be set as expressed in Equation 2, a first variable P₁ may be set to the basic point P, a second variable P₂ may be set to twice that of the basic point P (e.g., 2×P) and a repetitive parameter or counter i may be set or reset to t−1.

Referring to FIG. 3, after setting the variables, the scalar multiplication Q=k×P may be computed by performing a repetitive operation. Thus, the counter i may be decremented (at S305) and the process 300 may determine whether a binary bit k_(i) is equal to 1 (at S307). The first and second variables P₁ and P₂ may be updated according to the determination result (at S310 or S311). In S310 and S311, “P₂←2P₂” and “P₁←2P₁” may denote a “double” operation (e.g., multiplying by two) of elliptic curve points. In S310 and S311, “P₁←P₁+P₂” and “P₂←P₁+P₂” may denote an addition of elliptic curve points (e.g., the values on the right side of the arrow are added together with the result being stored in the variable indicated on the left side). A determination may then be made as to whether i is less than zero (at S313). If i is not less than zero, the process 300 returns to S305 where i is decremented and the repetitive portion of the process 300 repeats. Otherwise, if i is less than zero, the first variable P₁ may be output as the scalar multiplication Q=k×P (at S315).

Referring to FIG. 3, both the addition and the double operation may be performed for each iteration or repetition of the process 300 (e.g., S305, S307, S310 or S311, and S313), which may degrade system performance. A level of system resource allocation to the process 300 may be reduced with scalar multiplication in which a Y-axis is redefined after loop computation excluding Y-axis computation.

To perform the double operation and the addition on P₁(X₁,Z₁) and P₂(X₂,Z₂), with P₁ and P₂ representing points (e.g., having an X-axis component and a Z-axis component, respectively) on an elliptic curve using the FMPLA, the double operation and the addition in the binary finite field may be respectively defined as follows:

$\begin{matrix}\left\{ \begin{matrix}{Z = {Z_{i}^{2} \cdot X_{i}^{2}}} \\{X = {X_{i}^{4} + {b \cdot Z_{i}^{4}}}}\end{matrix} \right. & {{Equation}\mspace{20mu} 5} \\\left\{ \begin{matrix}{Z_{3} = \left( {{X_{1} \cdot Z_{2}} + {X_{2} \cdot Z_{1}}} \right)^{2}} \\{X_{3} = {{x \cdot Z_{3}} + {\left( {X_{1} \cdot Z_{2}} \right) \cdot \left( {X_{2} \cdot Z_{1}} \right)}}}\end{matrix} \right. & {{Equation}\mspace{20mu} 6}\end{matrix}$

In Equations 5 and 6 (above), a Y-axis may not be included within P₁ and P₂. In Equation 6, it may be assumed that the difference between the Z-axis coordinates of the difference between two points P₁(X₁,Z₁) and P₂(X₂,Z₂) (e.g., Z_(D)=Z₂−Z₁) may be “1”. However, in a fault detecting process used in the FMPLA, this assumption may not necessarily be true. Accordingly, if the addition in Equation 6 is applied to the fault detecting process using the FMPLA, the ECC system may not accurately determine whether a fault or error is injected into the system, which may degrade performance of the ECC system.

SUMMARY OF THE INVENTION

An example embodiment of the present invention is directed to a method of performing a fault detection operation, including determining a first point and a second point in a binary finite field, the first and second points established based on a basic point within a given elliptic curve, each of the first and second points including a first coordinate value and a second coordinate value, performing a first addition operation on the first point and the second point to compute a third coordinate value and performing a second addition operation on the first and second points to compute a fourth coordinate value, the first and second addition operations computed based on at least one of a difference between the first coordinate values of the first and second points and a difference between the second coordinate values of the first and second points.

Another example embodiment of the present invention is directed to an apparatus for performing a fault detection operation, including a first-coordinate computing unit receiving a first point and a second point in a binary finite field, the first and second points established based on a basic point within a given elliptic curve, each of the first and second points including a first coordinate value and a second coordinate value, the first-coordinate computing unit performing a first addition operation on the first point and the second point to compute a third coordinate value and a second-coordinate computing unit performing a second addition operation on the first and second points to compute a fourth coordinate value, the first and second addition operations computed based on at least one of a difference between the first coordinate values of the first and second points and a difference between the second coordinate values of the first and second points.

Another example embodiment of the present invention is directed to a method and apparatus for adding points in a binary finite field in order to detect a fault without an error when performing a fault detecting operation in the Fast Montgomery Power Ladder Algorithm (FMPLA).

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings are included to provide a further understanding of the invention, and are incorporated in and constitute a part of this specification. The drawings illustrate example embodiments of the present invention and, together with the description, serve to explain principles of the present invention.

FIG. 1 is a flowchart illustrating a Calculate Twice and Check (CT&C) process corresponding to a conventional Differential Fault Analysis (DFA) countermeasure.

FIG. 2 is a flowchart illustrating a Check the Output Point (COP) process corresponding to another conventional DFA countermeasure.

FIG. 3 is a flowchart illustrating a Montgomery Power Ladder Algorithm (MPLA) process for performing the scalar multiplication within a conventional Elliptic Curve Cryptography (ECC) system.

FIG. 4 is a flowchart illustrating a fault checking process according to an example embodiment of the present invention.

FIG. 5 is a flowchart illustrating a fault checking process according to another example embodiment of the present invention.

FIG. 6 is a flowchart illustrating a fault checking process according to another example embodiment of the present invention.

FIG. 7 is a flowchart illustrating a process of adding points in a binary finite field to perform a fault detecting process used in a fast MPLA (FMPLA) according to another example embodiment of the present invention.

FIG. 8 is a circuit diagram of an apparatus for adding points in the binary finite field to perform a fault detecting process using the FMPLA, according to another example embodiment of the present invention.

FIG. 9 is a circuit diagram of an apparatus for adding points in the binary finite field to perform a fault detecting process using the FMPLA, according to another example embodiment of the present invention.

FIG. 10 illustrates a squaring unit according to another example embodiment of the present invention.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Detailed illustrative example embodiments of the present invention are disclosed herein. However, specific structural and functional details disclosed herein are merely representative for purposes of describing example embodiments of the present invention. Example embodiments of the present invention may, however, be embodied in many alternate forms and should not be construed as limited to the embodiments set forth herein.

Accordingly, while example embodiments of the invention are susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that there is no intent to limit example embodiments of the invention to the particular forms disclosed, but conversely, example embodiments of the invention are to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like numbers may refer to like elements throughout the description of the figures.

It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of the present invention. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items.

It will be understood that when an element is referred to as being “connected” or “coupled” to another element, it can be directly connected or coupled to the other element or intervening elements may be present. Conversely, when an element is referred to as being “directly connected” or “directly coupled” to another element, there are no intervening elements present. Other words used to describe the relationship between elements should be interpreted in a like fashion (e.g., “between” versus “directly between”, “adjacent” versus “directly adjacent”, etc.).

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “includes” and/or “including”, when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

First, a Fast Montgomery Power Ladder Algorithm (FMPLA) according to an example embodiment of the present invention will be described, followed by a fault detecting process based upon the example FMPLA according to other example embodiments of the present invention.

In an example fault detecting process, Equation 7 (below) may be derived from conventional Equations 2 and 3:

$\begin{matrix}{H_{j} = {{2L_{j + 1}} + k_{j} + 1} = {L_{j + 1} + H_{j + 1} + k_{j}} = {{2H_{j + 1}} + k_{j} - 1}} & {{Equation}\mspace{20mu} 7}\end{matrix}$

Equation 8 (below) may then be derived based on Equation 7, as shown below:

$\begin{matrix}{{H_{j} = {L_{j} + 1}},\mspace{31mu} {{2H_{j + 1}} = {\left. {H_{j} + 1} \right|_{{if}{({k_{j} = 0})}}}}} & {{Equation}\mspace{20mu} 8}\end{matrix}$

wherein H_(j)=L_(j)+1 may be expressed as shown in conventional Equation 2.

In order to determine whether an error or fault is injected in a previous computation, H_(j) and L_(j) may be included in a computation. A Montgomery process, in which the sum of two points P₁ and P₂ may be computed on X-axis coordinates without X-axis coordinates, may be based on information relating to the difference between the two points P₁ and P₂.

In order to use the Montgomery process to derive a fault checking operation, and satisfy the indistinguishability operation equilibrium according to power tracks analysis, two example conditions based on which logic level k_(j) is set to may be employed.

In a first example condition, if k_(j) is equal to a first logic level (e.g., a higher logic level or logic “1”, such that k_(j)=1), a fault checking operation may be performed as follows:

1. L_(j)−1 may be computed by performing a “double” operation by:

$\begin{matrix}{{L_{j} - 1} = {\left. {{2L_{j + 1}} + k_{j} - 1} \right|_{{if}{({k_{j} = 1})}}} = {2L_{j + 1}}} & {{Equation}\mspace{20mu} 9}\end{matrix}$

2. L_(j)+1 may be computed by performing an addition operation on the result of the double operation.

3. L_(j)+1=H_(j) may be checked for a fault or error. Here, H_(j) may denote a previously computed value.

In a second example condition, if k_(j) is equal to a second logic level (e.g., a lower logic level or logic “0”, such that k_(j)=0), the fault checking operation may be performed as follows:

1. 2H_(j+1) may be computed by performing the double operation by:

$\begin{matrix}{{H_{j} + 1} = {\left. {{2H_{j + 1}} + k_{j} - 1 + 1} \right|_{{if}{({k_{j} = 0})}}} = {2H_{j + 1}}} & {{Equation}\mspace{20mu} 10}\end{matrix}$

2. H_(j)+1 may be computed by performing the addition, in consideration of L_(j).

3. H_(j)+1=2H_(j+1), may be determined. Here, 2H_(j)+1 may denote a previously computed value.

In an example, if a fault or error is not injected into the system, the difference between L_(j) and H_(j) may be equal to “1”. Thus, if a fault is not injected in the above operation, L_(j)+1=H_(j) and/or H_(j)+1=2H_(j+1). Also, H_(j) and L_(j) may be used in the determination as to whether L_(j)+1=H_(j) and/or whether H_(j)+1=2H_(j+1), such that a determination as to whether a fault or error has occurred may be performed with respect to each of the two computed points.

Example embodiments of a fault checking process based on FMPLA will now be described in greater detail. In an example, a regular checking process and/or a random checking process may be performed to determine whether a fault or error is injected during performing the scalar multiplication. Further, an at-the-end checking process may be performed to determine whether a fault or error is injected, after performing the scalar multiplication and/or prior to outputting of a result of performing the scalar multiplication.

For example, the regular checking process may be performed to determine whether a fault or error is injected for each iteration or repetition of the scalar multiplication. In another example, the random checking process may be performed during the scalar multiplication only at randomly selected iterations or repetitions, and not necessarily for each iteration or repetition.

FIG. 4 is a flowchart illustrating a fault checking process 400 according to an example embodiment of the present invention. In the example embodiment of FIG. 4, checking may be performed for each iteration of a repeated portion of a scalar multiplication process. Generally, in the example embodiment of FIG. 4 basic point P and a scalar k may be received (at S401), and k and P may be used to perform scalar multiplication Q(=k×P) (at S429).

In the example embodiment of FIG. 4, the basic point P, which may be located on a given elliptic curve, may be stored in memory (e.g., an EEPROM). The scalar k has been described above with respect to conventional Equation 2 in the Background of the Invention section. The basic point P and the scalar k may be received (at S401), and parameters or points for encryption may be reset or set (at S403).

In the example embodiment of FIG. 4, a first point P₁ and a second point P₂ may be reset using the basic point P (at S403). For example, the first point P₁ may be reset to the basic point P and the second point P₂ may be reset to double or twice that of the basic point P. After resetting the parameters (at S403), a repetitive operation may be performed to compute the scalar multiplication Q (at S405 through S413 and S427).

In the example embodiment of FIG. 4, counter i may designate a given bit among a number of binary bits within scalar k. In an example, the counter i may initially be set (e.g., during a first iteration of the repetitive or loop process) to one minus the maximum number of repetitions of the repetitive operation of FIG. 4 (at S405 through S413 and S427). Thus, for each repetition, the counter i may be decremented by 1 (at S405). Then, temporary variables T₁ and T₂ may be set to be equal to P₁ and P₂, respectively (at S407). If binary bit k_(i) is equal to a first logic level (e.g., a higher logic level or logic “1”) (at S409), then P₂ may be “doubled” and T₂ may be added to P₁ (at S411). Otherwise, if binary bit k_(i) is equal to a second logic level (e.g., a lower logic level or logic “0”) (at S409), then P₁ may be “doubled” and T₁ may be added to P₂.

In the example embodiment of FIG. 4, whether a fault is injected may be checked during each resetting of the variables and/or points, such that fault-checking may be performed continuously (e.g., not just after all iterations of the repetitive operation). An operation of checking whether a fault is injected will now be described (S415 through S423).

In the example embodiment of FIG. 4, the binary bit k_(i) may be analyzed to determine whether the binary bit k_(i) corresponds to the first or second logic level (at S415). If the binary bit k_(i) is determined to correspond to the first logic level (e.g., a higher logic level or logic “1”), T₁ may be “doubled”, and the sum of the first point P₁, which may be determined based on the first variable T₁ and the basic point P, may be reset to the first variable T₁ (at S417). The second point P₂ may then be compared with the reset first variable T₁ (at S419). If the second point P₂ and the reset first variable T₁ are equal to each other, a determination may be made that a fault has not been injected into the system; otherwise, a determination may be made that a fault has been injected into the system.

In the example embodiment of FIG. 4, if the binary bit k_(i) is equal to the second logic level (e.g., a lower logic level or logic “0”) (at S415), the second variable T₂ may be doubled, and the sum of the second point P₂, that may be determined according to the first variable T₁ and the basic point P, may be reset to the first variable T₁ (at S421). The doubled second variable T₂ may then be compared with the reset first variable T₁ (at S423). If the doubled second variable T₂ and the reset first variable T₁ are equal to each other, a determination may be made that a fault has not been injected into the system; otherwise, a determination may be made that a fault has been injected into the system.

In the example embodiment of FIG. 4, if it is determined that a fault is not injected (e.g., at S419 or S423), a determination may be made as to whether the counter i is less than 0 (at S427). If it is determined that the counter i is not less than 0, the process 400 may return to S405. Otherwise, if the counter i is less than 0, the first point P₁ may be output as the scalar multiplication Q (at S429). Otherwise, if it is determined that a fault is injected (e.g., at S419 or S423), a warning signal may be output (at S425).

FIG. 5 is a flowchart illustrating a fault checking process 500 according to another example embodiment of the present invention. In the example embodiment of FIG. 5, fault checking may be performed after a series of repetitive scalar multiplications. Thus, similar to the process 400 of FIG. 4, a first point and a second point may be reset according to a binary bit k_(i) (at S511 and S513). Then, a determination may be made as to whether the counter i is less than zero (at S515). As shown in the example embodiment of FIG. 5, the process 500 of FIG. 5 may be similar to the process 400 of FIG. 4 except that the determination of S427 may be moved to the position of S515 in FIG. 5, such that the “fault checking” steps may correspond to S517 to S527 in FIG. 5 (e.g., after the repetitive process or loop) as opposed to S415 to S427 (e.g., during each iteration of the repetitive process or loop).

FIG. 6 is a flowchart illustrating a fault checking process 600 according to another example embodiment of the present invention. In the example embodiment of FIG. 6, an example “random” checking process may be performed to determine whether a fault is injected into the system after a scalar multiplication is performed.

In the example embodiment of FIG. 6, S601 may correspond to S501 of FIG. 5 and/or S401 of FIG. 4. S603 may also correspond to S503 of FIG. 5 and/or S403 of FIG. 4. However, in S603, a checking rate RATE may be set along with the parameters for encryption. A checking value CHECK, which may be randomly generated, may then be received (in S605). For example, both the checking value CHECK and the checking rate RATE may be in a range from 0 to 100. If the checking rate RATE is set to 70, and the randomly-generated checking value CHECK is 70 or less, a fault checking process (e.g., S619 through S625) may be performed. Otherwise, if the checking value CHECK is greater than 70, the fault checking process may not be performed and the process 600 may advance directly to S631.

Accordingly, it will be appreciated that the fault checking process may be performed for less than all of the binary bits k_(i), based on the values of the randomly-generated checking value CHECK and the established checking rate RATE. The checking rate RATE may be used to determine the frequency of checking whether a fault is injected.

In the example processes 400 through 600 illustrated in FIGS. 4 through 6, respectively, the “double” operation and the addition may be performed on points on an elliptic curve in order to reset a first point P₁ and a second point P₂. However, as described above, if the addition expressed in Equation 6 is used as the addition performed in 413, 417, 519, 523, 621, and/or 625, it may not be possible to perfectly perform fault detection.

FIG. 7 is a flowchart illustrating a process 700 of adding points in a binary finite field to perform a fault detecting process used in a FMPLA according to another example embodiment of the present invention.

In the example embodiment of FIG. 7, a first coordinate (X₃) may be computed by performing an addition operation based on a first point and a second point in the binary finite field (at S720). In an example, the first and second points may be set using a basic point on an elliptic curve, in the binary finite field (S720). A second coordinate (Z₃) may then be computed by performing another addition operation on the first point and the second point in the binary finite field (at S740).

A result P₃(X₃, Z₃) of performing the addition on the first and second points P₁ and P₂ in the binary finite field may be expressed as follows:

$\begin{matrix}\left\{ \begin{matrix}{Z_{3} = {Z_{D} \cdot \left( {{X_{1} \cdot Z_{2}} + {X_{2} \cdot Z_{1}}} \right)^{2}}} \\{X_{3} = {{X_{D} \cdot \left( {{X_{1} \cdot Z_{2}} + {X_{2} \cdot Z_{1}}} \right)^{2}} + {Z_{D} \cdot \left( {X_{1} \cdot Z_{2}} \right) \cdot \left( {X_{2} \cdot Z_{1}} \right)}}}\end{matrix}\quad \right. & {{Equation}\mspace{20mu} 11}\end{matrix}$

In another example, a basic point P may indicate a point on Affine coordinates, and thus, the second coordinate of the second point P₂ may be replaced with a “1”. In an example, the result P₃(X₃, Z₃) of performing the addition on the first and second points P₁ and P₂ in the binary finite field may be expressed as follows:

$\begin{cases} Z_{3} = Z_{D} \cdot \left( X_{1} + X_{2} \cdot Z_{1} \right)^{2} \\ X_{3} = X_{D} \cdot \left( X_{1} + X_{2} \cdot Z_{1} \right)^{2} + Z_{D} \cdot X_{1} \cdot \left( X_{2} \cdot Z_{1} \right) \end{cases} \qquad \text{(Equation 12)}$

As illustrated in Equations 11 and 12, the difference Z_D between the second coordinates of the first and second points P₁ and P₂ may be used during the addition operation for two points (P₁ and P₂) in the binary finite field, thereby more accurately or precisely performing a fault detecting process using the Montgomery algorithm.

FIG. 8 is a circuit diagram of an apparatus 800 for adding points in the binary finite field to perform a fault detecting process using the FMPLA, according to another example embodiment of the present invention.

In the example embodiment of FIG. 8, the apparatus 800 may include a first-coordinate computing unit and a second-coordinate computing unit. The first-coordinate computing unit may compute a first coordinate X₃ by performing the addition on a first point P₁ and a second point P₂, with the first and second points P₁ and P₂ being set using a basic point on an elliptic curve, in the binary finite field. The second-coordinate computing unit may compute a second coordinate Z₃ by performing an addition on the second coordinates of the first point P₁ and the second point P₂ in the binary finite field.

In the example embodiment of FIG. 8, the first and second-coordinate computing units may respectively compute the first and second coordinates X₃ and Z₃ based on the difference between the second coordinates of the first and second points P₁ and P₂.

In the example embodiment of FIG. 8, the first-coordinate computing unit may include first through fifth multipliers X1 through X5, first and second adders +1 and +2 and a first squaring unit S1. The first multiplier X1 may compute a first multiplication value (X₁×Z₂) by multiplying X₁ by Z₂. The second multiplier X2 may compute a second multiplication value (X₂×Z₁) by multiplying X₂ by Z₁. The first adder +1 may compute a first addition value (X₁×Z₂+X₂×Z₁) by adding the first multiplication value and the second multiplication value. The first squaring unit S1 may compute a first square ((X₁×Z₂+X₂×Z₁)²) by squaring the first addition value. The first squaring unit S1 may square the first addition value by squaring the first addition value. The third multiplier X3 may compute a third multiplication value (X_D×(X₁×Z₂+X₂×Z₁)²) by multiplying the first square by X_D.

In the example embodiment of FIG. 8, the fourth multiplier X4 may compute a fourth multiplication value ((X₁×Z₂)×(X₂×Z₁)) by multiplying the first multiplication value by the second multiplication value. The fifth multiplier X5 may compute a fifth multiplication value (Z_D×(X₁×Z₂)×(X₂×Z₁)) by multiplying the fourth multiplication value by Z_D.

In the example embodiment of FIG. 8, the second adder +2 may compute an X coordinate (X₃), which may be the result of performing the addition on the first and second points in the binary finite field, by adding the third multiplication value and the fifth multiplication value.

In the example embodiment of FIG. 8, the second computing unit C22 may include multipliers X21, X22, and X23, an adder +21 and a squaring unit S21. The multiplier X21 may compute a multiplication value (X₁×Z₂) by multiplying X₁ by Z₂. The multiplier X22 may compute a multiplication value (X₂×Z₁) by multiplying X₂ by Z₁. The adder +21 may compute an addition value (X₁×Z₂+X₂×Z₁) by adding the multiplication value (X₁×Z₂) of the multiplier X21 and the multiplication value (X₂×Z₁) of the multiplier X22.

In the example embodiment of FIG. 8, the squaring unit S21 may compute a square ((X₁×Z₂+X₂×Z₁)²) by squaring the addition value of the adder +21. The squaring unit S21 may square the addition value by adding the addition value of the adder +21 with the addition value of the adder +21. The multiplier X23 may compute a Z-coordinate (Z₃), which may be the result of performing the addition on the first and second points in the binary finite field, by multiplying the square by Z_D. In an example, the multiplier X21 and the multiplier X22 of the second-coordinate computing unit may correspond to the first multiplier X1 and the second multiplier X2 of the first-coordinate computing unit, respectively. In another example, the adder +21 and the squaring unit S21 of the second-coordinate computing unit may correspond to the first adder +1 and the first squaring unit S1 of the first-coordinate computing unit, respectively.

In an example, Equation 11 may be computed by the apparatus 800 of FIG. 8, and Equation 12 may be computed by another example apparatus for adding points in the binary finite field, which will now be described with reference to FIG. 9.

FIG. 9 is a circuit diagram of an apparatus 900 for adding points in the binary finite field to perform a fault detecting process using the FMPLA, according to another example embodiment of the present invention.

In the example embodiment of FIG. 9, the example operation of the apparatus 900 may be the same as that of the apparatus 800 of FIG. 8, except that the apparatus 900 of FIG. 9 may further perform the addition on points if a second coordinate (e.g., a Z coordinate) of the second point P₂ is equal to the first logic level (e.g., a higher logic level or logic “1”). Therefore, the apparatus 900 may be structurally similar to that of the apparatus 800 of FIG. 8, while including fewer multipliers as compared to the apparatus 800. In another example, a construction and operation of the first-coordinate computing unit and the second-coordinate computing unit of the apparatus 900 may be the same as that of the apparatus 800 of FIG. 8.
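The additions of Equations 11 and 12, written out as an added Python example that is not part of the patent: `diff_add` follows the multiplier, adder and squarer order of FIG. 8, `diff_add_z2_one` is the Z₂ = 1 form handled by FIG. 9, and `check_pair` compares both with ordinary affine addition. The toy field GF(2⁸), the curve y² + xy = x³ + ax² + b with a = b = 1, the scaling constants, the `zd_fault` parameter and all function names are assumptions made for the illustration.

```python
# Added illustration, not from the patent. Assumptions: toy field GF(2^8) with
# reduction polynomial 0x11B, curve y^2 + xy = x^3 + a*x^2 + b with a = b = 1.
M, POLY, A_COEF, B_COEF = 8, 0x11B, 1, 1

def gf_mul(a, b):
    """Multiply in GF(2^M): carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= POLY
    return r

def gf_inv(a):
    """Inverse of non-zero a, computed as a^(2^M - 2)."""
    r = 1
    for _ in range((1 << M) - 2):
        r = gf_mul(r, a)
    return r

def affine_add(p, q):
    """Reference affine addition; requires different x-coordinates."""
    (x1, y1), (x2, y2) = p, q
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A_COEF
    return x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1

def diff_add(p1, p2, pd):
    """Equation 11, in the order of the FIG. 8 datapath."""
    (X1, Z1), (X2, Z2), (XD, ZD) = p1, p2, pd
    m1 = gf_mul(X1, Z2)                       # multiplier X1 / X21
    m2 = gf_mul(X2, Z1)                       # multiplier X2 / X22
    sq = gf_mul(m1 ^ m2, m1 ^ m2)             # adder +1, squaring unit S1
    x3 = gf_mul(XD, sq) ^ gf_mul(ZD, gf_mul(m1, m2))  # multipliers X3-X5, adder +2
    return x3, gf_mul(ZD, sq)                 # Z3 from multiplier X23

def diff_add_z2_one(p1, x2, pd):
    """Equation 12: the same addition with Z2 fixed to 1."""
    (X1, Z1), (XD, ZD) = p1, pd
    m = gf_mul(x2, Z1)
    sq = gf_mul(X1 ^ m, X1 ^ m)
    return gf_mul(XD, sq) ^ gf_mul(ZD, gf_mul(X1, m)), gf_mul(ZD, sq)

def curve_points():
    """All affine points with x != 0 on the toy curve, by brute force."""
    pts = []
    for x in range(1, 1 << M):
        rhs = gf_mul(gf_mul(x, x), x ^ A_COEF) ^ B_COEF   # x^3 + a*x^2 + b
        pts += [(x, y) for y in range(1 << M) if gf_mul(y, y ^ x) == rhs]
    return pts

def check_pair(p, q, r1=0x53, r2=0xCA, rd=0x07, zd_fault=0):
    """Return (x via Eq. 11, x via Eq. 12, reference x) for P1 = p, P2 = q.
    zd_fault XORs bits into Z_D to model a corrupted difference coordinate."""
    ref = affine_add(p, q)[0]
    xd = affine_add(p, (q[0], q[0] ^ q[1]))[0]       # x of P1 - P2
    P1, P2 = (gf_mul(p[0], r1), r1), (gf_mul(q[0], r2), r2)
    PD = (gf_mul(xd, rd), rd ^ zd_fault)             # projective (X_D, Z_D)
    X3, Z3 = diff_add(P1, P2, PD)
    X3b, Z3b = diff_add_z2_one(P1, q[0], PD)
    return gf_mul(X3, gf_inv(Z3)), gf_mul(X3b, gf_inv(Z3b)), ref
```

With `zd_fault` left at 0 all three returned values agree; with a non-zero `zd_fault` and a difference point whose x-coordinate is non-zero, the first two no longer match the reference, which shows that the result of the addition depends on Z_D.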

FIG. 10 illustrates a squaring unit S according to another example embodiment of the present invention. In an example, the example squaring unit S may be included as the squaring units described above with respect to the example embodiments of FIGS. 8 and/or 9.

In the example embodiment of FIG. 10, the squaring unit S may multiply a given input value 11 by itself. In an example, the squaring unit S may correspond to the first squaring unit S1 and the squaring unit S21 illustrated in FIGS. 8 and 9. The squaring unit S may be configured such that an input value may be multiplied by itself, thereby reducing a layout area of the apparatus 800 and/or 900 of FIGS. 8 and 9, respectively.

In another example embodiment of the present invention, a method and apparatus for adding points in the binary finite field may be capable of more accurately or precisely performing a fault detecting process in a cryptographic system that uses the FMPLA.

Example embodiments of the present invention being thus described, it will be obvious that the same may be varied in many ways. For example, while the example embodiments of charge pump circuits are described above as directed to FMPLA, it is understood that other example embodiments of the present invention may be directed to any well-known fault detection process (e.g. MPLA, etc.).

Further, it is understood that the above-described first and second logic levels may correspond to a higher level and a lower logic level, respectively, in an example embodiment of the present invention. Alternatively, the first and second logic levels/states may correspond to the lower logic level and the higher logic level, respectively, in other example embodiments of the present invention.

Such variations are not to be regarded as a departure from the spirit and scope of example embodiments of the present invention, and all such modifications as would be obvious to one skilled in the art are intended to be included within the scope of the following claims.

1. A method of performing a fault detection operation, comprising: determining a first point and a second point in a binary finite field, the first and second points established based on a basic point within a given elliptic curve, each of the first and second points including a first coordinate value and a second coordinate value; performing a first addition operation on the first point and the second point to compute a third coordinate value; and performing a second addition operation on the first and second points to compute a fourth coordinate value, the first and second addition operations computed based on at least one of a difference between the first coordinate values of the first and second points and a difference between the second coordinate values of the first and second points.
2. The method of claim 1, wherein the fault detecting operation is performed within an elliptic curve cryptography system employing a fast Montgomery power ladder algorithm (FMPLA).
3. The method of claim 1, wherein the first coordinate values and the third coordinate value correspond to X-axis coordinates and the second coordinate values and the fourth coordinate value correspond to Z-axis coordinates.
4. The method of claim 3, wherein, if the first point is denoted as P₁(X₁, Z₁), the second point is denoted as P₂(X₂, Z₂), a difference point between P₁ and P₂ is denoted as P_D(X_D, Z_D), the third coordinate value is denoted as X₃, the fourth coordinate value is denoted as Z₃, and a resultant point is denoted as P₃(X₃, Z₃), the first and second additional operations are respectively represented as follows: $\begin{cases} Z_{3} = Z_{D} \cdot \left( X_{1} \cdot Z_{2} + X_{2} \cdot Z_{1} \right)^{2} \\ X_{3} = X_{D} \cdot \left( X_{1} \cdot Z_{2} + X_{2} \cdot Z_{1} \right)^{2} + Z_{D} \cdot \left( X_{1} \cdot Z_{2} \right) \cdot \left( X_{2} \cdot Z_{1} \right). \end{cases}$
5. The method of claim 4, wherein the second coordinate value of the second point (Z₂) is equal to 1.
6. The method of claim 1, wherein the second coordinate value of the second point has a fixed value.
7. The method of claim 6, wherein the fault detecting operation is performed within an elliptic curve cryptography system employing a fast Montgomery power ladder algorithm (FMPLA).
8. The method of claim 6, wherein the first coordinate values and the third coordinate value correspond to X-axis coordinates and the second coordinate values and the fourth coordinate value correspond to Z-axis coordinates.
9. The method of claim 8, wherein the second coordinate value of the second point is equal to 1.
10. The method of claim 9, wherein, if the first point is denoted as P₁(X₁, Z₁), the second point is denoted as P₂(X₂, 1), a difference point between P₁ and P₂ is denoted as P_D(X_D, Z_D), the third coordinate value is denoted as X₃, the fourth coordinate value is denoted as Z₃, and a resultant point is denoted as P₃(X₃, Z₃), the first and second additional operations are respectively represented as follows: $\begin{cases} Z_{3} = Z_{D} \cdot \left( X_{1} + X_{2} \cdot Z_{1} \right)^{2} \\ X_{3} = X_{D} \cdot \left( X_{1} + X_{2} \cdot Z_{1} \right)^{2} + Z_{D} \cdot X_{1} \cdot \left( X_{2} \cdot Z_{1} \right). \end{cases}$
11. An apparatus for performing a fault detection operation, comprising: a first-coordinate computing unit receiving a first point and a second point in a binary finite field, the first and second points established based on a basic point within a given elliptic curve, each of the first and second points including a first coordinate value and a second coordinate value, the first-coordinate computing unit performing a first addition operation on the first point and the second point to compute a third coordinate value; and a second-coordinate computing unit performing a second addition operation on the first and second points to compute a fourth coordinate value, the first and second addition operations computed based on at least one of a difference between the first coordinate values of the first and second points and a difference between the second coordinate values of the first and second points.
12. The apparatus of claim 11, wherein the first and second coordinate computing units are included within an elliptic curve cryptography system employing a fast Montgomery power ladder algorithm (FMPLA).
13. The method of claim 11, wherein the first coordinate values and the third coordinate value correspond to X-axis coordinates and the second coordinate values and the fourth coordinate value correspond to Z-axis coordinates.
14. The apparatus of claim 13, wherein, if the first point is denoted as P₁(X₁, Z₁), the second point is denoted as P₂(X₂, Z₂), a difference point between P₁ and P₂ is denoted as P_D(X_D, Z_D), the third coordinate value is denoted as X₃, the fourth coordinate value is denoted as Z₃, and a resultant point is denoted as P₃(X₃, Z₃), the first and second additional operations are respectively represented as follows: $\begin{cases} Z_{3} = Z_{D} \cdot \left( X_{1} \cdot Z_{2} + X_{2} \cdot Z_{1} \right)^{2} \\ X_{3} = X_{D} \cdot \left( X_{1} \cdot Z_{2} + X_{2} \cdot Z_{1} \right)^{2} + Z_{D} \cdot \left( X_{1} \cdot Z_{2} \right) \cdot \left( X_{2} \cdot Z_{1} \right). \end{cases}$
15. The apparatus of claim 14, wherein the first-coordinate computing unit includes: a first multiplier computing a first multiplication value (X₁×Z₂) by multiplying X₁ by Z₂; a second multiplier computing a second multiplication value (X₂×Z₁) by multiplying X₂ by Z₁; a first adder computing a first addition value (X₁×Z₂+X₂×Z₁) by adding the first multiplication value and the second multiplication value; a squaring unit computing a square (X₁×Z₂+X₂×Z₁)² by squaring the first addition value; a third multiplier computing a third multiplication value (X_D×(X₁×Z₂)+X₂×Z₁)² by multiplying the first square by X_D; a fourth multiplier computing a fourth multiplication value ((X₁×Z₂)×X₂×Z₁)) by multiplying the first multiplication value by the second multiplication value; a fifth multiplier computing a fifth multiplication value (Z_D×(X₁×Z₂)+X₂×Z₁)) by multiplying the fourth multiplication value by Z_D; and a second adder computing the third coordinate value (X₃) by adding the third multiplication value and the fifth multiplication value.
16. The apparatus of claim 15, wherein the squaring unit multiplies the first addition value by the first addition value.
17. The apparatus of claim 14, wherein the second computing unit includes: a first multiplier computing a first multiplication value (X₁×Z₂) by multiplying X₁ by Z₂; a second multiplier computing a second multiplication value (X₂×Z₁) by multiplying X₂ by Z₁; a first adder computing a first addition value (X₁×Z₂+X₂×Z₁) by adding the first multiplication value and the second multiplication value; a squaring unit computing a square ((X₁×Z₂+X₂×Z₁)²) by squaring the first addition value; and a third multiplier computing the fourth coordinate value (Z₃) by multiplying the first multiplication by Z_D.
18. The apparatus of claim 17, wherein the squaring unit multiplies the first addition value by the first addition value.
19. The apparatus of claim 11, wherein the second coordinate of the second point has a fixed value.
20. The apparatus of claim 19, wherein the first and second coordinate computing units are included within an elliptic curve cryptography system employing a fast Montgomery power ladder algorithm (FMPLA).
21. The method of claim 20, wherein the first coordinate values and the third coordinate value correspond to X-axis coordinates and the second coordinate values and the fourth coordinate value correspond to Z-axis coordinates.
22. The apparatus of claim 21, wherein the second coordinate of the second point is equal to “1”.
23. The apparatus of claim 22, wherein, if the first point is denoted as P₁(X₁, Z₁), the second point is denoted as P₂(X₂, 1), a difference point between P₁ and P₂ is denoted as P_D(X_D, Z_D), the third coordinate value is denoted as X₃, the fourth coordinate value is denoted as Z₃, and a resultant point is denoted as P₃(X₃, Z₃), the first and second additional operations are respectively represented as follows: $\begin{cases} Z_{3} = Z_{D} \cdot \left( X_{1} + X_{2} \cdot Z_{1} \right)^{2} \\ X_{3} = X_{D} \cdot \left( X_{1} + X_{2} \cdot Z_{1} \right)^{2} + Z_{D} \cdot X_{1} \cdot \left( X_{2} \cdot Z_{1} \right). \end{cases}$
24. The apparatus of claim 23, wherein the first-coordinate computing unit includes: a first multiplier computing a first multiplication value (X₂×Z₁) by multiplying X₂ by Z₁; a first adder computing a first addition value (X₁+X₂×Z₁) by adding the first multiplication value and X₁; a squaring unit computing a square ((X₁×Z₂+X₂×Z₁)²) by squaring the first addition value; a second multiplier computing a second multiplication value (X_D×(X₁×Z₂+X₂×Z₁)²) by multiplying the first square by X_D; a third multiplier computing a third multiplication value (X₁×(X₂×Z₁)) by multiplying the first multiplication value by X₁; a fourth multiplier computing a fourth multiplication value (Z_D×X₁×(X₂×Z₁)) by multiplying the third multiplication value by Z_D; and a second adder computing the third coordinate value (X₃), by adding the second multiplication value and the fourth multiplication value.
25. The apparatus of claim 24, wherein the squaring unit multiplies the first addition value by the first addition value.
26. The apparatus of claim 23, wherein the second computing unit includes: a first multiplier computing a first multiplication value (X₂×Z₁) by multiplying X₂ by Z₁; a first adder computing a first addition value (X₁+X₂×Z₁) by adding the first multiplication value and X₁; a squaring unit computing a first square ((X₁+X₂×Z₁)²) by squaring the first addition value; and a third multiplier computing the fourth coordinate value (Z₃) by multiplying the first square by Z_D.
27. The apparatus of claim 26, wherein the first squaring unit multiplies the first addition value by the first addition value.